cacti remote injection exploit

Reported by Chris Weiss on 2007-01-08
Affects | Status | Importance | Assigned to | Milestone
cacti (Debian) | Fix Released | Unknown | |
cacti (Ubuntu) | | High | Unassigned |
Breezy | | High | Unassigned |
Dapper | | High | Unassigned |
Edgy | | High | Kees Cook |

Bug Description

Binary package hint: cacti

Exploit is described in this thread: http://forums.cacti.net/viewtopic.php?t=18846
Dapper is vulnerable to this on a default install of apache2, php5 and cacti.
Upstream claims to be patched.

Changed in cacti:
status: Unknown → Confirmed
Mark Schouten (mark-prevented) wrote :

This is quite easy to work around. Add the following lines to /etc/cacti/apache.conf:

        <Files cmd.php>
                Deny from All
        </Files>
        <Files poller.php>
                Deny from All
        </Files>

These scripts shouldn't be reachable through the webserver anyways.
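
An added example, not part of the comment above or of the Cacti or Ubuntu packages: a Python check over Apache access-log lines that reports whether requests for cmd.php or poller.php were served or were refused with 403, which is what the `<Files>` rules should produce. The log lines and addresses are constructed samples, and the common/combined log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Scripts the workaround denies; per the thread they should not be web-reachable.
BLOCKED_SCRIPTS = {"cmd.php", "poller.php"}

# Assumed format: Apache common/combined access log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2007:10:00:01 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Jan/2007:10:02:13 +0000] "GET /cacti/cmd.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [08/Jan/2007:10:02:15 +0000] "GET /cacti/%63md.php?x=1 HTTP/1.1" 200 312',
    '203.0.113.5 - - [09/Jan/2007:03:11:40 +0000] "GET /cacti/poller.php HTTP/1.0" 403 289',
    '203.0.113.5 - - [09/Jan/2007:03:11:42 +0000] "GET /cacti/cmd.php/extra HTTP/1.0" 403 289',
    'not an access-log line',
]

def classify(line):
    """Return (client, script, status, verdict) for a hit on a blocked script, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Drop the query string and decode %xx so encoded names are still matched.
    path = unquote(m.group("target").split("?", 1)[0])
    # Match any path segment, so trailing path info after the script is caught too.
    script = next((s for s in path.split("/") if s in BLOCKED_SCRIPTS), None)
    if script is None:
        return None
    status = int(m.group("status"))
    if status == 403:
        verdict = "blocked"    # the <Files> deny rule answered
    elif 200 <= status < 300:
        verdict = "exposed"    # the script was served: workaround missing
    else:
        verdict = "review"
    return m.group("host"), script, status, verdict

def audit(lines):
    """Classify every line; return the findings and a count per verdict."""
    findings = [f for f in map(classify, lines) if f is not None]
    return findings, Counter(f[3] for f in findings)

if __name__ == "__main__":
    for client, script, status, verdict in audit(SAMPLE_LOG)[0]:
        print(f"{verdict:8} {status} {script:10} from {client}")
```

Any "exposed" line after the configuration change means the rules are not being applied to that virtual host or path.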

Changed in cacti:
status: Unconfirmed → Confirmed
Brak (brak-archive) wrote :

Just saw someone trying this exploit out on a box.. :-( Saw the exploit from SANS at the end of December, but still no patch to Ubuntu!!

StefanPotyra (sistpoty) wrote :

Setting importance to high, due to impact of exploit.

Changed in cacti:
importance: Undecided → High
Jan Van Buggenhout (chipzz) wrote :

This thread has patches for 0.8.6h and 0.8.6i:

http://forums.cacti.net/post-88714.html

Changed in cacti:
status: Confirmed → Fix Committed
StefanPotyra (sistpoty) wrote :

Just filed a sync request to get the fixed version from Debian into Feisty.

StefanPotyra (sistpoty) wrote :

Feisty package is built and thus fixed... (in case this bug vanishes completely from the list of -swat, I'll reopen it)

Changed in cacti:
status: Confirmed → Fix Released
Kees Cook (kees) on 2007-01-22
Changed in cacti:
importance: Undecided → High
status: Unconfirmed → Confirmed
delfuego (ubuntu-com-site) wrote :

Question: is there a plan to push a fix for this out to Dapper?

StefanPotyra (sistpoty) wrote :

Yes the plan is there. However I cannot promise you a date when this will happen, since we are a little bit low on manpower :(.

Changed in cacti:
status: Fix Committed → Fix Released
pirast (pirast) on 2007-01-27
Changed in cacti:
assignee: nobody → pirast
pirast (pirast) on 2007-01-27
Changed in cacti:
status: Confirmed → In Progress
pirast (pirast) wrote :

I have .debdiffs prepared which need some testing.

I am going to attach them. It would be nice if you could try those and report if they work. Please also include your distribution.

pirast (pirast) wrote :

I am now going to attach debs fixing the issue for Edgy and Dapper.

It would be nice if you could try those and report if they work. Please also include your distribution.

pirast (pirast) wrote :

The cacti Dapper deb does not seem to work, I would suggest not to try it since it seems to break some stuff..

pirast (pirast) wrote :

The cacti Edgy deb works fine for me when upgrading from 0.8.6h-3. Could anyone please confirm that so that we can push the updated deb to edgy-security?

pirast (pirast) wrote :

The cacti Dapper deb works fine for me now, also.

The problem was that I did not receive any notifications from debconf.

Now, I got one saying that a table already exists. I selected ignore and the update installed successfully:

        root@martin-desktop:/tmp# dpkg -i cacti_0.8.6h-1ubuntu3.1_all.deb
        (Lese Datenbank ... 13579 Dateien und Verzeichnisse sind derzeit installiert.)
        Vorbereiten zum Ersetzen von cacti 0.8.6h-1ubuntu3 (durch cacti_0.8.6h-1ubuntu3.1_all.deb) ...
        Entpacke Ersatz für cacti ...
        Richte cacti ein (0.8.6h-1ubuntu3.1) ...
        dbconfig-common: writing config to /etc/dbconfig-common/cacti.conf
        Replacing config file /etc/cacti/debian.php with new version
        granting access to database cacti for cacti@localhost: already exists.
        creating database cacti: already exists.
        error encountered populating database:
        mysql said: ERROR 1050 (42S01) at line 5: Table 'cdef' already exists
        dbconfig-common: cacti configure: ignoring errors from here forwards
        dbconfig-common: flushing administrative password

:::::

Here also:
Could anyone please confirm that it works for Dapper so that we can push the updated deb to dapper-security?

pirast (pirast) wrote :

New cacti Edgy deb, available at [1], needs further user testing.

[1] http://gamesplace.info/opensource/ubuntu/cacti/cacti_0.8.6h-1ubuntu3.1_all.deb

New cacti Dapper deb should work but has to be fixed so that no dialogue appears.

Changed in cacti:
status: In Progress → Needs Info
Kees Cook (kees) wrote :

Hi Martin, what's the status of these debdiffs? It sounds like they need to be modified in some way to deal with debconf changes, is that correct?

pirast (pirast) wrote :

Hi Kees, the Edgy debdiff works fine, the Dapper debdiff has to be modified (I didn't yet find out how)

pirast (pirast) on 2007-03-03
Changed in cacti:
assignee: pirast → nobody
status: In Progress → Confirmed
Wesley Schwengle (wesleys) wrote :

Hi,

I got "hacked" because of this bug (running Edgy). Is there an ETA available for the fix? Willing to test it :)

Kees Cook (kees) wrote :

Publishing edgy update now. Dapper still needs someone to fix the database errors.

Changed in cacti:
assignee: nobody → keescook
status: Needs Info → Fix Committed
pirast (pirast) wrote :

Kees, thanks..

Sadly, nobody else of the initial reporters wanted to test the Edgy fix :( Very motivating ;)

Kees Cook (kees) on 2007-03-12
Changed in cacti:
status: Fix Committed → Fix Released
Wesley Schwengle (wesleys) wrote :

Thanks for the fix. Warned some friends as well so they can start the update as well.

Marco Rodrigues (gothicx) wrote :

Breezy support is over.. Today it's Breezy End Of Life!

Changed in cacti:
status: Confirmed → Rejected
Kees Cook (kees) wrote :

Trent Lloyd tested similar fixes, and they seem to work, so I've published that version. It should be on the archives shortly.

Changed in cacti:
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.
